Download - Chapter 16 Cisco IOS IPS
CHAPTER 16CISCO IOS IPS
2
SECURING NETWORKS WITH IDS AND IPS
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) sensors protect your network from malicious traffic. The two systems are deployed differently and scan for malicious traffic in different ways. Each system has strengths and weaknesses when deployed separately, but when used together, IDS and IPS can provide a much richer and deeper level of security
3
BASIC FUNCTIONS OF THE INTRUSION DETECTION SYSTEM (IDS)
IDS is typically characterized as a passive listening device. This label is given to these systems because traffic does not have to pass through the system; IDS sensors listen promiscuously to all traffic on the network
4
BASIC FUNCTIONS OF THE INTRUSION PREVENTION SYSTEM (IPS)
IPS is characterized as an active device. This is because the device is implemented as an inline sensor. The IPS requires the use of more than one interface, and all traffic must pass through the sensor. Network traffic enters through one interface and exits through another
5
USING IDS AND IPS TOGETHER
When you think about having one or the other of these sensors on your network, think about the benefits you would get from having both. An IPS sensor is much like a firewall; it can block traffic that is malicious or threatening. It should only block traffic that is known to be a threat, though. IPS should not block legitimate traffic or you could suffer a disruption in legitimate connectivity and find that applications are unable to perform their tasks
6
BENEFITS AND DRAWBACKS OF IPS/IDS SENSORS A network-based monitoring system has the
benefit of easily seeing attacks that are occurring across the entire network
Encryption of the network traffic stream can effectively blind the sensor. Reconstructing fragmented traffic can also be a difficult problem to solve
7
TYPES OF IDS AND IPS SENSORS
Network Based (NIPS,NIDS)
Host Based (HIPS,HIDS)
8
NETWORK BASED INTRUSION PREVENTION SYSTEM (NIPS) Network-based sensors examine packets and
traffic that are traversing through the network for known signs of malicious activity. Because these systems are watching network traffic, any attack signatures detected may succeed or fail. It is usually difficult, if not impossible, for network-based monitoring systems to assess the success or failure of the actual attacks
9
HOST BASED INTRUSION PREVENTION SYSTEM(HIPS) A host-based sensor examines information at
the local host or operating system. The HIPS has full access to the internals of the end station, and can relate incoming traffic to the activity on the end station to understand the context. Host-based sensors can be implemented to a couple of different complexity levels
10
MALICIOUS TRAFFIC IDENTIFICATION APPROACHES
Signature-based
Policy-based
Anomaly-based
Honeypot
11
SIGNATURE TYPES
Exploit signatures
Connection signatures
String signatures
DoS signatures
12
IPS ALARMS
An IPS sensor can react in real time when a signature is matched. This allows the sensor to act before network security has been compromised. The sensor can optionally log whatever happened with a syslog message or Security Device Event Exchange (SDEE)
13
CONFIGURING IOS IPS
It is now time to look at the configuration of IOS IPS. This section takes you through the configuration process using the SDM interface. The SDM gives you quite a few configuration capabilities for IOS IPS. You can configure every option through the IPS Edit menu
14
SDM HOME SCREEN
15
DEFAULT CONFIGURATION SCREEN
16
DEFAULT IPS SCREEN
17
SDEE ENABLE NOTIFICATION
18
IPS WIZARD WELCOME SCREEN
19
SELECT INTERFACES SCREEN
20
SDF LOCATIONS SCREEN
21
ADD A SIGNATURE LOCATION DIALOG BOX
22
SDF LOCATIONS WITH FILE ADDED
23
WIZARD SUMMARY PAGE
24
SUMMARY